Excuse Me, 
May I Borrow 
Your Passwords? 

Copyright 2002 
By Mike Delaney

Some time ago, I was one of the most prolific contributors to one of 
the most popular newsgroups on usenet. The newsgroup's purpose 
was to provide fraudulently-obtained, but valid, passwords for websites.

Mike Delaney is a shoplifting prevention trainer with over 20 years experience as a shoplifter, and almost 10 years experience in stopping them.
. , . ,. ,

The process there is fairly straightforward: someone posts the web site address of a site that they want (free and illegal) access to. Several group members with colorful nicknames then "run" the site. If a valid username/password is found, it is emailed to the requestor, who in turn publicly heaps praise on the grantor, thus inflating his or her ego. My colorful nickname was "PassBandit", and I have a few tips for you.

The web site password authentication process is chock full of security flaws. And wherever there are security flaws, there are scads of both real- and wannabe-hackers trying to exploit them.

One of those flaws is the ability of a user to enter an infinite combination of usernames and passwords without ever being locked out by the web site. As it was relevant to "PassBandit", this flaw allowed him to run a software application that automatically tries usernames and passwords, from a supplied list, then reads whether the combination was successful by the electronic reply received from the web site. The program simultaneously tried 70 different combinations, which gave a rate of attempts in the several-hundred-per-second range. If a particular combination didn't work, the application simply tried another combination. And another. And another, until it found a combination that worked.

Of course, there are some sites -- not very many -- that I couldn't get into. And, some sites were harder than others. However, every site that I did get into had one thing in common: at least one user that made a stupid (make that "ill-informed") choice of a username and password.

Once a username and password have been compromised, and when (not if) it is eventually discovered, most sites will instantly close the account. This eliminates the fraudulent use of that password, but also screws the poor fool who actually paid for access to the site.

Here are some tips to ensure that your account is not the weak account that the other "PassBandit"s of the world compromise:

The password is more important than the username. Do not assume that because you have an unusual username (including email addresses) that you can choose a simple password. I'd say that at about 2-3% of the webservers I checked, I could obtain that site's entire list of users and their passwords. The passwords are encrypted, but the usernames are not. So, if you chose an easy password, such as "password" or "asdf", I'd have your username/password combination in amazingly short order.

Make your reminder question tough and unique. If the site offers a "secret question"-type access to your password (in case you lose it), make it something unique, such as "What is my nickname at work?". Believe it or not, a person actually had "QuestionQuestion" as his reminder question. Guess what the correct reply to his reminder question is? If you guessed "AnswerAnswer", congratulations -- the web site will now hand over the poor schmuck's password. True story!

Do not use your username as the password. Many sites will not allow this, but many still do. Similarly, do not use a password that "fits" with the username. The may be cute, clever, and easy to remember, but username:password combinations such as intel:inside, moody:blues, hewlett:packard, or foghorn:leghorn will be compromised very quickly.

Make your password at least 6 characters long. Every username and password combination is crackable with enough time and patience. Every additional character you add to your password increases the likelihood that the cracker will run out of time or patience before guessing your password. I could try every combination of letters, one to five characters in length, in an hour or two.

Use a mix of upper- and lowercase letters, and numbers -- and, if allowed, include symbols, i.e., "Hammer*shreW" or "booKbuicK-720". The more variety your password contains, the less likely that it will be guessed.

Do not use a single word as your entire password. At several hundred guesses per second, I could (and often did) go through entire unabridged dictionary files, many megabytes in size, and in several languages in no time. Combine two unrelated words, such as bookbuick or hammershrew.

Change your password frequently if the site gives you that option. Many, many compromised usernames and passwords go undetected for a long time. Change your password at least every few months. Change them more frequently at sites with your credit card or personal info, financial sites, or web-based email accounts. [Note: There is a widely-held belief that certain very HOT eMAIL sites are "unhackable". Trust me, I know this to be false for an absolute fact.]

and, finally,

Do not use the same username/password combination at multiple sites. Every successful username/password combination a cracker finds is put into a separate "1st run list". This attack list is the first list of combinations that is used against any site. Why? Because people do not want to write down, or try to remember, different password combinations for different sites. This is a very dangerous (yet very common) practice, because once a cracker has that one combination, he or she not only has access to that one site, but has guaranteed access to every site at which you are a member.

I've grown out of "PassBandit", and it no longer holds a thrill for me. Instead, I've hopped the fence and teach loss prevention topics. But there are thousands of "PassBandit"s out there looking to get your into your website stash. Don't make it easy for them.

=============About the Author=====================

Mike Delaney is a shoplifting prevention trainer with over 20 years experience as a shoplifter, and almost 10 years of experience in stopping them.

Mike is the author of "How to Beat Shoplifters and Increase Profits" available at Bison Creek Desktop Publishing http://www.zianet.com/bisoncreek 

Contact Mike at mailto:DelaneyBookReview@yahoo.com (DelaneyBookReview[at]yahoo[dot]com)

No advice on this site should be used
without first contacting a professional in that field.  

The X-Files 

The Self Improvement Kit for Christians  
Glass Blowing Instructions 
Beware Your Blessings.    
An Alchemist's Techniques
Sasssafras -- the Liquid Cleanser
Print Photos on ANY object  
Build your own web site  
How to Promise the Moon  
Credit Card Fraud on the web 
Free ScreenSavers
How to Install your ScreenSaver
Discover who your long distance carrier REALLY is. Use the Internet for Education   
Leadership in the new age  
office politics in turmoil  
password protection   
Are You Looking Good at Work?  
How many ways are there to die?  
When to Look Back 
How to help a needy family 
The A-Maizeing Corn Heater  
The Self-Contained Fireplace   
The Benefits of an Electric Stove 
Dowsing for buried treasure  
Cleaning with Kids
Magic Learning System
Living wills for women
Sure Shot Yogurt Instructions
75 Old Secret Formulas  
Instant Messenger  
Meet the Cookie Monster 
Last Look at Leap Year  
Learn to Groom Your Horse 
Violence at home and abroad  
How to Detect and Treat Ear Infections in Your Pet.  
Type faster, with less effort.  
Are Jigsaw Puzzles Educational?  

Find Out More About Everything Worth Insuring in Your Life